[ale] port forwarding for iptables.

JK jknapka at kneuro.net
Tue Jun 9 14:23:59 EDT 2009


Jim Kinney wrote:
> You need to add the reverse forward to get the data back to the original system.
> 
> sysA port A -> iptables -> sysB port B to send data
> sysB port B -> iptables -> sysA port A to receive data


No, the DNAT target should handle this automagically.

What you DO need, though, is:

* Your FORWARD chain on the router has to be accepting this traffic; and

* You may also need a *route* on the target machine to get the traffic
back to the source, if the target machine doesn't know how to route traffic
to that host.  Or you could SNAT the forwarded traffic so the target machine
thinks it's coming from the router doing the forwarding.  I've used both of
those techniques, and I prefer to use standard routing rather than SNAT
when that's feasible.

(I have an unreasonably complicated network at home, and have to deal
with this stuff all the time :-P  )

-- JK


> It is possible to do this with -m state --state RELATED,ESTABLISHED -j ACCEPT
> I think it needs to be in the FORWARD/INPUT chain in filter table.
> (INPUT if the iptables machine is one of the sysA/sysB machines,
> FORWARD if just an intermediary machine).
> 
> This will also need ip_conntrack (connection tracking) module
> 
> On Tue, Jun 9, 2009 at 1:52 PM, Atlanta Geek<atlantageek at gmail.com> wrote:
>> The log fix was correct.  Thanks Jim,
>> I now see my PREROUTING log showing up
>> But the forwarding does not appear to be working.  any suggestions?
>>
>> On Tue, Jun 9, 2009 at 1:42 PM, JK<jknapka at kneuro.net> wrote:
>>> Jim Kinney wrote:
>>>> all of the -j LOG calls will never trigger because the packet has
>>>> already left the chain due to the line before it with the -j ACCEPT or
>>>> -j DNAT. Put the log before the jump call.
>>>>
>>>> -j REDIRECT is what you want to use. DNAT is for IP address. REDIRECT
>>>> is for port forwarding.
>>>
>>> If I am not mistaken, REDIRECT only allows you to forward to a port on
>>> the local machine.  If you want to forward on to another machine, you
>>> need DNAT.  "man iptables" backs me up on this, yay.
>>>
>>> -- JK
>>>
>>> --
>>> Still sigless.
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> http://mail.ale.org/mailman/listinfo/ale
>>>
>>
>>
>> --
>> http://www.atlantageek.com
>>


-- 
A closed mouth gathers no feet.
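The rule set the reply above describes, written out as an added example (this is not code from the thread or from any poster): a DNAT in PREROUTING with the LOG placed before it, the FORWARD-chain accepts that let the rewritten packet through and let conntrack return the replies, and the optional SNAT step for a target that has no route back to the client. The interface name, addresses and ports are assumptions for illustration; the function prints the iptables commands rather than running them, so it can be reviewed (or piped to sh as root) on the router.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Prints the iptables
# rules for forwarding TCP port EXT_PORT on the router's WAN interface to
# TARGET_IP:TARGET_PORT. Interface, addresses and ports are assumptions.
#
# Usage: dnat_rules WAN_IF EXT_PORT TARGET_IP TARGET_PORT [route|snat]
#   route (default): no SNAT; the target must have a route back to the client
#   snat:            also SNAT the forwarded traffic so the target replies
#                    to the router, which then un-DNATs the reply

dnat_rules() {
    wan_if=$1; ext_port=$2; target_ip=$3; target_port=$4; mode=${5:-route}

    # Forwarded packets are dropped by the kernel unless ip_forward is on.
    echo "sysctl -w net.ipv4.ip_forward=1"

    # LOG must come before DNAT: DNAT is a terminating target, so a packet
    # that matches it leaves the chain and a LOG rule after it never fires.
    echo "iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport $ext_port -j LOG --log-prefix 'DNAT: '"
    echo "iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport $ext_port -j DNAT --to-destination $target_ip:$target_port"

    # The FORWARD chain (filter table) has to accept the rewritten packet
    # and the replies. Connection tracking recognises the replies as
    # ESTABLISHED and reverses the DNAT on them, so no reverse rule is needed.
    echo "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -i $wan_if -p tcp -d $target_ip --dport $target_port -m state --state NEW -j ACCEPT"

    if [ "$mode" = snat ]; then
        # Rewrite the client's source address to the router's own address
        # (MASQUERADE picks the outgoing interface's address) so the target
        # can answer even without a route to the original client.
        echo "iptables -t nat -A POSTROUTING -p tcp -d $target_ip --dport $target_port -j MASQUERADE"
    fi
}

# Number of iptables commands in a generated set; a quick self-check.
rule_count() { dnat_rules "$@" | grep -c '^iptables'; }

# Example: expose 192.168.1.10:80 as port 8080 on eth0, plain routing mode.
dnat_rules eth0 8080 192.168.1.10 80 route
```

The RELATED,ESTABLISHED rule is what makes the reverse direction work without a second DNAT; if it is missing, or the target host sends its replies to a default gateway that is not this router, the SYN reaches the target but the handshake never completes, which matches "PREROUTING log shows up but forwarding does not work".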
